Wanna Cry Ransomware Quick Analysis

Today is a bad day. The Shadow Brokers leak of NSA exploits led to the weaponization of emails with exploitation of MS17-010, the SMB vulnerability, and the delivery of the Wanna Cry ransomware. As I write this blog post, havoc is being wreaked all over Europe, and several entities have reported Wanna Cry infections and destruction of data, especially the NHS in the UK and entities in Spain.

I got hold of the ransomware sample (unfortunately not the delivery mechanism, i.e. the actual exploit payload). Since I was short of time, I did a quick analysis, which might help IR teams with IOCs, YARA rules, etc.

The icacls command is used to grant Everyone access to the current working directory via ACLs.

We can see an msg folder created, which contains the ransom note in various languages. We also see some other binaries created and the decryptor tool, called "u.wnry" or "@WanaDecryptor@.exe". A shortcut to the decryptor is also created, for unknown reasons. The batch and vbs file execution is basically used to create this shortcut. We can also see two other binaries, namely taskdl.exe and taskse.exe, and some other files with the extensions .eky and .pky, most probably related to encryption.
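For IR teams triaging hosts, the dropped-file names above can be turned into a simple co-occurrence check. The following is an added example, not code from this post; the indicator names come from the post, while the weighting of a directory as suspicious (three or more distinct indicators) and the constructed sample tree are assumptions.

```python
"""Host triage helper for the dropped-file artifacts described in this post."""
import os
import tempfile

# File names the post observed the ransomware drop into its working directory.
DROPPED_FILES = {"u.wnry", "c.wnry", "s.wnry", "@wanadecryptor@.exe",
                 "taskdl.exe", "taskse.exe"}
# Extensions the post associates with the encryption key material.
KEY_EXTENSIONS = {".eky", ".pky"}
# Distinct indicators in one directory before it is flagged (assumed threshold).
THRESHOLD = 3


def score_directory(entries):
    """Return the set of indicators matched by a list of (name, is_dir) entries.

    Matching is case-insensitive because Windows file systems are.
    """
    hits = set()
    for name, is_dir in entries:
        lower = name.lower()
        ext = os.path.splitext(lower)[1]
        if is_dir and lower == "msg":          # folder holding the ransom notes
            hits.add("msg/")
        elif lower in DROPPED_FILES:           # dropped binaries / .wnry files
            hits.add(lower)
        elif ext in KEY_EXTENSIONS:            # .eky / .pky key-material files
            hits.add("key-file" + ext)
    return hits


def find_suspicious_dirs(root):
    """Walk `root` and return {directory: indicators} for dirs at/above THRESHOLD."""
    flagged = {}
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        hits = score_directory(entries)
        if len(hits) >= THRESHOLD:
            flagged[dirpath] = hits
    return flagged


def demo():
    """Scan a constructed directory tree resembling the post's listing."""
    with tempfile.TemporaryDirectory() as root:
        staging = os.path.join(root, "staging")
        os.makedirs(os.path.join(staging, "msg"))
        for name in ["u.wnry", "c.wnry", "s.wnry", "taskdl.exe", "key.eky"]:
            open(os.path.join(staging, name), "w").close()
        open(os.path.join(root, "report.docx"), "w").close()   # benign file
        found = find_suspicious_dirs(root)
        return {os.path.relpath(k, root): v for k, v in found.items()}
```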

We can see the ransom note in English.

We can see the addresses of the Tor sites in c.wnry.

s.wnry is the archive taken from the resource in the binary:

Unzipping this archive file results in the following. This is the Tor program:

I tried clicking on "Contact Us", where we can enter text in a form and submit it. If the internet connection fails, the following message is received. This confirms that the above Tor sites are used by the decryptor to communicate.

Some registry keys added:

After encryption, the following message appears on the desktop:

I close the decryptor tool, but the process keeps running and keeps popping up the decryptor window:

I tried running the other two dropped binaries as well. Notice their Description fields: "SQL Client Configuration Utility EXE" and "waitfor...."